can't build image if root filesystem is read only #335

Open
laversa opened this issue Mar 21, 2021 · 2 comments
Comments

laversa commented Mar 21, 2021

I am not able to build images when enabling security best practices to run the container with a read-only root file system.

Using the --read-only option to make the root file system read-only gives the following error:

$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ docker run  --rm -it \
    --name img \
    --volume ${PWD}:/home/user/src:ro \
    --workdir /home/user/src \
    --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    --read-only \
    r.j3ss.co/img build -t user/myimage .
Error: error creating dir for embedded binaries: mkdir /home/user/.local: read-only file system

Using a temporary file system (--tmpfs /home/user/.local):

$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ docker run  --rm -it \
    --name img \
    --volume ${PWD}:/home/user/src:ro \
    --workdir /home/user/src \
    --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    --read-only \
    --tmpfs /home/user/.local \
    r.j3ss.co/img build -t user/myimage .
Error: unable to check runc version

Using a volume (--volume ${PWD}/.local:/home/user/.local):

$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ mkdir .local
$ docker run  --rm -it \
    --name img \
    --volume ${PWD}:/home/user/src:ro \
    --workdir /home/user/src \
    --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    --read-only \
    --volume ${PWD}/.local:/home/user/.local \
    r.j3ss.co/img build -t user/myimage .
Building docker.io/user/myimage:latest
Setting up the rootfs... this may take a bit.
WARN[0000] Process sandbox is not available, consider unmasking procfs: mount: permission denied (are you root?)
WARN[0000] using host network as the default
[+] Building 0.2s (2/2) FINISHED
 => [internal] load .dockerignore                                    0.1s
 => => transferring context: 2B                                      0.0s
 => [internal] load build definition from Dockerfile                 0.2s
 => => transferring dockerfile: 62B                                  0.0s
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to create temp dir: mkdir /tmp/buildkit-mount103012371: read-only file system

Using a volume (--volume ${PWD}/.local:/home/user/.local) and --tmpfs /tmp:

$ echo "FROM nginx:1.19.5-alpine" > Dockerfile
$ mkdir .local
$ docker run  --rm -it \
    --name img \
    --volume ${PWD}:/home/user/src:ro \
    --workdir /home/user/src \
    --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    --read-only \
    --volume ${PWD}/.local:/home/user/.local \
    --tmpfs /tmp \
    r.j3ss.co/img build -t user/myimage .
Building docker.io/user/myimage:latest
Setting up the rootfs... this may take a bit.
WARN[0000] Process sandbox is not available, consider unmasking procfs: mount: permission denied (are you root?)
WARN[0000] using host network as the default
[+] Building 0.1s (2/2) FINISHED
 => [internal] load build definition from Dockerfile                 0.1s
 => => transferring dockerfile: 31B                                  0.0s
 => [internal] load .dockerignore                                    0.1s
 => => transferring context: 2B                                      0.0s
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount /tmp/buildkit-mount663287699: [{Type:bind Source:/home/user/.local/share/img/runc/native/snapshots/snapshots/2 Options:[rbind ro]}]: operation not permitted

Is it possible to use img build with a read-only root file system restriction?

@laversa laversa changed the title can't build image if root filesystem as read only can't build image if root filesystem is read only Mar 21, 2021
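The post above works through the errors one mount at a time. The following helper is an added example, not code from the issue author or the img project: it classifies each error line img printed under --read-only and names the narrowest mount change the thread found for it, so the writable paths a build is granted stay explicit. The "unable to check runc version" classification rests on an assumption not stated in the issue: docker mounts --tmpfs with noexec by default, which would stop the embedded runc binary placed there from running.

```shell
#!/bin/sh
# Added example (not the issue's or img's own code): map img's error lines
# from a --read-only run to the smallest mount change that addresses them.
# Output per line, one of:
#   tmpfs <dir>        - a write hit the read-only root; a tmpfs there suffices
#   tmpfs-needs-exec   - embedded runc is present but cannot execute (assumed:
#                        docker's default noexec tmpfs; add the exec option)
#   mount-capability   - a snapshotter bind mount was refused; no --tmpfs or
#                        --volume flag changes this, the sandbox lacks mount rights
#   unknown            - anything else (exit status 1)

triage_img_error() {
  line=$1
  case "$line" in
    *'read-only file system'*)
      # The failing mkdir names the path that must become writable.
      path=$(printf '%s\n' "$line" |
        sed -n 's/.*mkdir \([^:]*\): read-only file system.*/\1/p')
      [ -n "$path" ] || { echo "unknown"; return 1; }
      case "$path" in
        # buildkit temp dirs carry random names, so the parent is what
        # needs a tmpfs (the issue's remedy was --tmpfs /tmp)
        /tmp/*) echo "tmpfs /tmp" ;;
        # a fixed path (the issue's remedy was --tmpfs /home/user/.local)
        *)      echo "tmpfs $path" ;;
      esac
      ;;
    *'unable to check runc version'*)
      echo "tmpfs-needs-exec"
      ;;
    *'Type:bind'*'operation not permitted'*)
      echo "mount-capability"
      ;;
    *)
      echo "unknown"
      return 1
      ;;
  esac
}

# Demo on two error lines constructed from the ones quoted in the issue.
for l in \
  'Error: error creating dir for embedded binaries: mkdir /home/user/.local: read-only file system' \
  'Error: unable to check runc version'
do
  printf '%s -> %s\n' "$l" "$(triage_img_error "$l")"
done
```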
gabrywu commented Jul 16, 2021

Yes, I want this feature

MrNocTV commented Dec 22, 2022

I have the same problem. Please help to fix this issue.
I installed img inside a container in Kubernetes.

WARN[0000] Process sandbox is not available, consider unmasking procfs:
WARN[0000] using host network as the default
[+] Building 0.0s (2/2) FINISHED
 => [internal] load .dockerignore                                    0.0s
 => => transferring context: 2B                                      0.0s
 => [internal] load build definition from Dockerfile                 0.0s
 => => transferring dockerfile: 32B                                  0.0s
Error: failed to solve: failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount /tmp/buildkit-mount4015711986: [{Type:bind Source:/root/.local/share/img/runc/native/snapshots/snapshots/2 Options:[rbind ro]}]: operation not permitted

UPDATED:
It is mentioned here: #115
